Update on Workplace Learning, Human Performance and Productivity with Charles Jennings
🎧 openSAP https://lnkd.in/esBTikdv
Apple https://podcasts.apple.com/de/podcast/education-newscast-english-edition/id1535764834
Spotify https://open.spotify.com/show/0GIxqSvAoh0pTOB6AWLGCR
This podcast was recorded on the SAP Training and Change Forum with Charles Jennings, known to many as a long-time promoter of the 70:20:10 model. #epss #workplacelearning #performance #productivity #podcast
4) Finally, Jay Jacobs, Ben Edwards, Octavian Suciu, Armin Sarabi and I deployed an updated ML model to estimate the probability that a vulnerability will be exploited in the wild, #epss. We presented in Montreal this month to an international audience of computer response teams. The prediction scores for all 200k vulns are available freely at https://www.first.org/epss/data_stats . The paper describing the new model and results will be presented at Europe's Workshop on cybercrime held with the IEEE Euro Privacy and Security conference (WACCO), and WEIS. Full paper at https://arxiv.org/pdf/2302.14172.pdf .
Join us for the third live webinar in our new monthly webinar series! This month, Jay Jacobs & Ben Edwards join us for a look into the Exploit Prediction Scoring System.
In this talk, we'll share a bit about the new EPSS updates, discuss the increasing data and partnerships, how we use EPSS and how you can benefit from the Exploit Prediction Scoring System.
Get an inside look into the open, data-driven effort for estimating the likelihood that a software vulnerability will be exploited in the wild with Ben & Jay!
Register: https://us02web.zoom.us/webinar/register/WN_FHnATAyWTzG_lsjH3PkbLQ
#Webinar #infosecurity #cybersecurity #riskmanagement #exploits #EPSS
📢 New podcast: Scientific findings on EPSS & Workplace Learning Support with Tamara Vanessa Leiß, Andreas Rausch & Jürgen Seifried 🎧 openSAP https://lnkd.in/dYv5pkwi
🎧 Apple https://lnkd.in/duWKsEZx
🎧 Spotify https://lnkd.in/d2S_hZAq #epss #workplacelearning #lernen #performance
We’ve just released a paper describing our next gen #EPSS model for estimating vuln exploitation. Lots of great work by the team and the #FIRST SIG went into this. The scoring will go live March 7th, but in the meantime, you can see the paper at:
Enhancing Vulnerability Prioritization: Data-Driven Exploit Predictions with Community-Driven Insights
https://arxiv.org/abs/2302.14172
Jay Jacobs, Sasha Romanosky, Octavian Suciu, Benjamin Edwards, Armin Sarabi
We are now showing #EPSS scores and if a #vulnerability is on the #CISA "Known Exploited Vulnerability" list.
Also, we think the CISA logo looks pretty awesome lol
With the latest 0.4.0 release, bomber (https://github.com/devops-kung-fu/bomber) now supports enrichment of vulnerability data! Our first enrichment adds EPSS scores into the vulnerability output. What's an EPSS score? It tells us the probability that a vulnerability will be exploited.
#SBOM #epss #vulnerabilitymanagement #devsecops
@gdbassett with our exploit prediction model, #EPSS, we spend a lot of time thinking about how to better communicate very low exploit probabilities to people in an intuitive way. I don't think we've solved it. The best we have come up with is using rank ordering (e.g. 1st, 2nd, 3rd, etc.).
I don’t suppose you’ve found better ways of communicating low probabilities?
#infosec
I posted about #EPSS earlier and asked if anyone used it. One of my co-workers has sent me [an article from CSO Online](https://www.csoonline.com/article/3680570/epss-explained-how-does-it-compare-to-cvss.html) that provides an analysis of the strengths and weaknesses of EPSS.
One weakness that I absolutely agree with is that EPSS is still tied to #CVE and CVEs do not exist for every vulnerability, especially brand new, emerging threats.
That begs the question: if not CVE, then what?
#epss #infosec Does anyone use the Exploit Prediction Scoring System as part of their risk analysis? The data from EPSS is one of the data points we use to help shift something from a lower priority to higher priority. If you don't know what EPSS is, I pulled information from their websites below.
The Exploit Prediction Scoring System (EPSS) model produces a probability score between 0 and 1 (0 and 100%), where the higher the score, the greater the probability that a vulnerability will be exploited.
EPSS was first developed in the summer of 2019 and initially presented at BlackHat that same year. Since then, a Special Interest Group (SIG) has been working hard at FIRST to build a scalable computing infrastructure to ingest and process multiple data sources. In fact, through community partnerships and the work of EPSS SIG members, EPSS is currently collecting multiple different data sources, most of them daily including but not limited to the following list:
The current EPSS model (v2022.01.01) was trained with 1,164 variables, most of which were boolean values representing the presence of a specific attribute (e.g. was Microsoft the vendor? Does this CVE have an exploit included in the Metasploit framework?). Details about the full model development of earlier models are available in our research papers (see links below). The current model was trained with Gradient Boosting, specifically Poisson rate with exposure.
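As an added example (not code from any of the posts above, and not FIRST's own tooling): a Python sketch that parses EPSS data in the layout of the public CSV download (assumed header `cve,epss,percentile` after a `#` comment line), flags CVEs that also appear on a stand-in for the CISA KEV list mentioned in an earlier post, and reports each CVE's rank order next to its raw probability, the communication tactic for low probabilities discussed above. All CVE IDs, scores and KEV entries are constructed.

```python
"""Prioritise CVEs by EPSS score plus KEV membership (constructed data)."""
import csv

# Constructed sample in the EPSS download layout; the three-column header
# is an assumption about the real file, the values are made up.
EPSS_CSV = """\
#model_version:v2023.03.01,score_date:2023-03-07T00:00:00+0000
cve,epss,percentile
CVE-2023-00001,0.97321,0.99902
CVE-2023-00002,0.00042,0.08115
CVE-2023-00003,0.01250,0.84300
CVE-2023-00004,0.00042,0.08115
"""

# Constructed stand-in for the CISA Known Exploited Vulnerabilities list.
KEV = {"CVE-2023-00002"}


def load_epss(text):
    """Parse EPSS CSV text into {cve: (epss, percentile)}, skipping '#' lines."""
    rows = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    return {r["cve"]: (float(r["epss"]), float(r["percentile"]))
            for r in csv.DictReader(rows)}


def ordinal(n):
    """1 -> '1st', 2 -> '2nd', 11 -> '11th', 22 -> '22nd'."""
    if 10 <= n % 100 <= 20:
        return f"{n}th"
    return f"{n}{ {1: 'st', 2: 'nd', 3: 'rd'}.get(n % 10, 'th') }"


def prioritise(scores, kev, threshold=0.1):
    """Return records ordered KEV first, then by EPSS descending.

    A KEV entry outranks any EPSS score: a CVE known to be exploited is
    treated as exploited even when its predicted probability is tiny.
    Rank uses competition ranking, so equal scores share a rank.
    """
    values = [s for s, _ in scores.values()]
    out = []
    for cve, (epss, pct) in scores.items():
        rank = 1 + sum(1 for v in values if v > epss)
        priority = "kev" if cve in kev else "high" if epss >= threshold else "low"
        out.append({"cve": cve, "epss": epss, "percentile": pct,
                    "rank": ordinal(rank), "priority": priority})
    order = {"kev": 0, "high": 1, "low": 2}
    out.sort(key=lambda r: (order[r["priority"]], -r["epss"]))
    return out
```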
Finally, I am a member of DHS's Data Integrity and Privacy Advisory Committee, where we seek to advise the Chief Privacy Office, and the Secretary, on important privacy matters.
My website: https://romanosky.net
#CVSS: https://www.first.org/cvss/
#EPSS: https://www.first.org/epss/
In addition, I am one of the original authors of #CVSS. Back almost 20 years ago, there was no open standard that could capture the severity of a #CVE, so it was the best we could do. And it worked. Pretty well, actually. For a while.
But now our thinking has evolved. Vuln severity isn’t enough. We want to know about exploitation in the wild. And so the amazing Jay Jacobs, I, and others developed #EPSS, an entirely data driven way of estimating the probability that a vuln will be exploited.
@DavidJBianco well, not on my archive, per se, but we (from #epss) are collecting mentions of CVEs with the idea of feeding them into our exploit prediction model. Of course, now we may need to also set up a feed for Mastodon. (See https://www.first.org/epss/model)
We need more #cyberinsurance and #cybercrime people here! Also, those with a dose of #cvss (vuln severity) and #epss (vuln exploit prediction, https://www.first.org/epss/model).